MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

SHA256 hash: a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9
MD5 hash: 280bfd5ea1f41586ea0ef60ee44bc8db
File name: Install.exe
Signature: Formbook
File size: 4'713'759 bytes
First seen: 2022-03-27 00:28:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
Threatray: 2'359 similar samples on MalwareBazaar
Reporter: @tolisec
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 217
Origin country: GB
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Searching for the window
Launching a process
Running batch commands
Using the Windows Management Instrumentation requests
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Possible injection to a system process
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe overlay packed racealer shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Behaviour
Behavior Graph: Behavior Graph ID 597646, Sample: Install.exe, Startdate: 27/03/2022, Architecture: WINDOWS, Score: 100. The rendered graph is not reproduced here; its text export encodes the sandbox process tree, in which Install.exe drops and starts further executables that in turn spawn cmd.exe, powershell.exe, schtasks.exe and nslookup.exe, and one of the spawned processes contacts ip-api.com (208.95.112.1, port 80) to look up the external IP address.
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1
MD5 hash: 11bbdf80d756b3a877af483195c60619
SHA1 hash: 99aca4f325d559487abc51b0d2ebd4dca62c9462
SHA256 hash: cc362303245f5e793362ab3e80d048801ddfa2323e4c36041c6c930131c37255
MD5 hash: 5334749be3300656959786b97f9e011f
SHA1 hash: b3ccb86457996a885ad7f214755d50634a69ea6f
SHA256 hash: 5baeaa0ac94de675c09d3d537b6fc70523a086bb329200f0c70e9d878a58439f
MD5 hash: 606d5cf003e27f39b00d406211f01374
SHA1 hash: 6609e981b8ba7a624fe5b65e6cf35e5ae8e698e2
SHA256 hash: a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9
MD5 hash: 280bfd5ea1f41586ea0ef60ee44bc8db
SHA1 hash: 57aa866f42bccbaceed938390001148323d033c1

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: extracted_at_0x44b
Author: cb
Description: sample - file extracted_at_0x44b.exe
Reference: Internal Research
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments